Microsoft Raises Security Game, Notes Shortcomings Elsewhere
LMCBoy writes "Steve Ballmer recently told an industry conference that Microsoft software is more secure than Linux. PJ at Groklaw has a nice, thorough analysis of this dubious claim. She points out that not only are there vastly more Microsoft exploits reported, but that the exploits tend to be much more severe, involving remote administrator access." In related news, mhesseltine writes "According to an article from the Washington Post, in an unusually ironic twist, Microsoft has started talking smack about their own products, instead of those of their competitors. Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"
Do you think it could POSSIBLY be due to the fact that Office 2003 just came out and the need to find a reason to get people to buy it?
"Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"
When the version of Linux is Lindows and it's administered by a monkey who leaves it lying around a student lab logged in as root.
On a more serious note, security depends more on the person administering it than the software itself up to a point. Sure you _can_ leave yourself wide open on Linux as well as on Windows, it's just that on Windows it's much easier (eg using OE or IE or not turning off messaging services or RPC) compared to Linux (installing something compromised or bad physical security).
Beep beep.
Microsoft has started talking smack about their own products, instead of those of their competitors
I guess when you are so proficient at talking smack you are likely to hit one of your own at some point.
Of course the clunkiest feature of Office is the part where you have to pay several hundred dollars for it. I wish they'd get that bug ironed out already.
I watched C-beams glitter in the dark near the Tannhauser gate.
Wednesday, October 22 2003 @ 06:44 AM EDT
... disputed the notion that open-source code is more secure than Windows. 'The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher,' he said.
...well, what would be the precise word here? You hate to say lying. It's so cold.
You know I couldn't resist covering this story. Microsoft's Steve Ballmer picked up his glove and slapped Linux across the face in a speech given at an industry conference thrown by...who else, Gartner?
In his speech, he said some peculiar things about security:
"Ballmer
"'The vulnerabilities are there. The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality. Not saying we are the cat's meow here--I'm saying it is absolutely not good reasoning to think you will get better quality out of Linux.'"
Ballmer's being a naughty boy again. China indeed. "In the middle of the night." Trying to frighten the children with overtones. And playing with numbers. What year is it again? Red Hat 6? Pardon me for pointing it out, but they are up to 9 now. He's choosing a 150-day period from back in the day -- and I wonder how long it took to pick the best segment of time to use -- and using that for comparison? There is a lot that can be said about this, but it's not really necessary to do any research on this sad subject, I don't think. Everyone on a Windows box just went through the worst summer and fall of security issues of all time. They already know he's just
However, let's do a little research, just for fun.
Judge for yourself which operating system is more vulnerable to security problems by going down the list on CERT's Incident Notes page. It goes back to 1998. And here is their Current Activity page. It's almost all Microsoft issues. Here's their Vulnerabilities Notes page. It's all Microsoft, except for one, which isn't Linux. Here is their most recent quarterly summary. And after you look at all the data, what do you think now? Was Mr. Ballmer accurate? The only way I could find Linux prominently on any list was to type it into the Customized Search engine by itself on this page, and then when you get to the list, it's a list for all vulnerabilities of all the distributions of Linux, not just Red Hat. I couldn't find anything equivalent to Microsoft announcing a vulnerability and then saying there was no patch and you should just shut that particular functionality down. Ballmer said there were 17 critical vulnerabilities in Windows 2000 in the 150-day period and that Red Hat had considerably more. But look at the list: it shows only 16 vulnerabilities for all flavors of Linux for the entire year of 2000. CERT only lists the big ones, but Ballmer did say "critical". It makes you wonder where he got his numbers from or how he defines "critical".
Funny he would choose such an old time period, don't you think, for his comparison? Maybe it's because looking at July through October of this year would be devastating? I see only two Linux vulnerabilities on the list for that time period, both buffer overflow vulnerabilities, so evidently there has been considerable improvement on the Linux side.
Look at what could happen to you on a Windows box in the first two weeks of September 2003, though, just using a handful of the many recent vulnerabilities here and here and here and here and here and here and here. I didn't include July and August or October or the rest of September, out of kindness. Now, what Mr. Ballmer needs to do is show me anything like that kind of news coverage of security vulnerabilities in GNU/Linux, for any two week period. And speaking of critical, look at what the results could be from the Windows security issues:
"'An att
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Gates highlights improvements in Office 2003 over Office 2000 during the product launch!
It's arma-fucking-geddon!
I don't need no instructions to know how to rock!!!!
The programs we sell right now are not any good!
So, as soon as the next version comes out, buy it! We will have everything fixed, honest!
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Ballmer states that there's "nobody who has his rear end on the line" with Linux.
...
I posit that Linux developers have something rather important on the line; their reputations, professional and personal. When you ship open-source code, you are showing the world how good, or how bad, you are. Your reputation can be made or broken by the code you release.
Contrast that with all too many developers in commercial shops, whose code is read by nobody but their immediate co-workers and nobody takes responsibility for bugs.
If Microsoft employees' asses are on the line, show me a firing or two every time a security hole shows up. And not just the line programmers; bring me the heads of the designers who designed things badly, the project managers who made hitting deadline more important than getting it right, and the managers who let it all happen.
I would say that in the vast majority of cases, commercial programmers' asses are NOT on the line, in terms of security problems. As long as you crank out code fast enough to keep up with your co-workers
Of Course Windows is more secure than linux, once you disconnect it from the network...
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Ballsack^H^H^H^Hmer said: "The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher"
Why don't we compare Windows Server 2003 to RedHat Enterprise v3? Or Windows 2000 to RedHat 9? RedHat 6? That's what, 3-4 years old now!
And don't make me bring up WinME, Steverino.
"There is no road map for Linux, nobody who has his rear end on the line. We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers. They know where to send e-mail." Steve Ballmer said. He neglected to add "It's not like we read that email, but at least you know where they can stick it - sorry, I mean send it", but was clearly thinking it.
Craft Beer Programming T-shirts
No, no and no.
"It's too hard to find things in e-mail." translation: "We're going to start the murmurings now for a proprietary database-backed email system, from back end to user interface."
By making comments like this now, Bill will have leverage against the DoJ when they bring up the spectre of the anti-trust settlement. "It's a necessary feature--we recognised that back in 2003."
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I guess that's what happens when you bloat Office up with pinball games, flight simulators and 3D Doom clones.
That's the most ignorant thing I've read on here in a long time. Call your parents right now and ask them what their computer runs. They'll say Windows. Then ask them what Linux is. They'll say "A character in Charlie Brown?" Then call your kid's junior high teacher and ask her, then call your priest and ask him, then call your gay uncle and ask him. The masses have no idea what Linux is, let alone anything about its security vs. that of Windows.
sPh
"There is no road map for Linux, nobody who has his rear end on the line."
Quick, alert Linus and the rest of the kernel maintainers and planners. Also, better not spread around the road map for Linux so Ballmer won't look like a fool.
" We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers."
ROFL! Indemnify?! Ever read a Microsoft EULA? You're on your own, buddy. How stupid does he think people are? Never mind, don't answer that...
" They know where to send e-mail. "
Oh, puleeeze! Ever try to complain to Microsoft about a bug in their software? Now, take that to the next level. Ever try to complain to one of their software developers about a bug in the particular software they wrote? What's that? You have no idea who wrote that piece of software? And you have no way of finding out? So tell me again where the accountability is.
"None of that is true in the other world. "
Uh, precisely the opposite of what you said, but thanks for playing anyway. Tell Steve what he's won. Seriously, it really is just the opposite. Linux code comes with people's name on it. You want accountability? Put your name on software used by millions and put it out into the world to be dissected.
"So far, I think our model works pretty well,"
(Wiping the tears from my face while I shake with laughter) If the current mess of the state of Windows is his idea of things working "pretty well," oh never mind...This speech sure wasn't directed at the cluefull.
That means, of course, that most reporters will report it verbatim and at face value. *sigh*
Ballmer proceeded to point at the thin air next to him for three minutes while muttering what sounded like 'their little pig eyes they bore into my soul like dirty knives' and scanning the audience.
"What about the security issues?" asked Jayson Blair, cub reporter for D-Cup Magazine.
"And those button bars with the sometimes incomprehensible tiny icons. Those are works of art!" cried Ballmer. "If you can't understand what one means, you are nothing more than an animal. An animal, I tell you! Do you hear? An animal who sleeps in his own wastes and eats his own children! Die!"
"Do you have any data to back up your claim of being more secure than Linux?" asked Asian reporter Trish Takinawa of Channel 104 Public Access in Parumph, Nevada.
"Data!" thundered Ballmer. "We're freaking Microsoft, toots! We don't need any stinking dat-"
"Ha ha! This has gone far enough!" said a swarthy man in ninja clothing from the back of the crowd as he leapt up onto a dusty platform festooned with tattered remnants of long dead happiness.
"So! Phil Schiller. Head of Marketing at Apple Computer," Ballmer said. "I wondered when we'd meet again."
"And it is as I said, ha-ha, at a time and place of my design, ha-ha!" heckled Schiller as he drew his adamantine katana from its sheath. Gold plated depleted uranium throwing stars twinkled and glistened with righteousness in his other hand.
Strange alien devices began to scuttle threateningly from Ballmer's massive pores. They dripped with sweat. The sweat hit the floor and burned little holes.
Reporters scattered in a storm of makeup and microphone cable. Somewhere, a bird of prey cried out. A baby cried. Someone broke Godwin's law for the 5000th time that day. A charmed quark spontaneously appeared, but only briefly.
Schiller's bright eyes stared down the angry monkey eyes of his eternal nemesis, and the world held its breath...
--- Ban humanity.
You are a regular laugh riot. RTFM. There is a preferences setting if you don't want to read about MS. Use it or shut up about the number of MS stories. It's really that simple. The quantity of different types of stories on Slashdot is probably directly related to the number of submissions on those topics made by readers.
I'm not even going to get into the logical fallacies going on with your comparison (via .sig) of MS and Linux security issues.
I do not have a signature
My father has his own accounting firm. When the software vendor for his tax program told him they were announcing end-of-life support for their Windows 98 software, he faxed back their announcement with "so support LINUX!" written across it in big black sharpie ink.
Stupid sexy Flanders.
Do we really need another bash-Microsoft article obsessively dissecting one sentence Bill Gates made at some promotional speech or interview or whatever?
Um, it was the Washington Post reporting on the "sentence" (although it was probably more on the orders of a paragraph or two), not Slashdot. We're not dissecting the sentence here. It's pretty clear that MS is going to have to make the sale based on overhyping the features of the new version and badmouthing the old. This sort of thing happens in companies all the time -- Clorox bleach had a big promo for powdered Bleach by badmouthing liquid bleach, their #1 product.
Just like a site focusing on Green Party politics would be crazy not talking about news concerning the Bush administration, it's important to talk about Microsoft here because for the foreseeable future it will be that 800-lb gorilla that affects everything else in the tech industry.
If you really want to complain about excessive coverage, it seems like Apple has gotten more than its fair share of articles in the past week, too. Gee, maybe that's because there are a lot of newsworthy events going on with that company.
Things are happening with both Microsoft and Apple this week; big news items (horrible security exploits patched followed by big talk from Ballmer, iTunes for Windows, a Mac-based cluster possibly making #4 or #5 of the top 500 supercomputers). Maybe some things are happening on the Linux front; maybe not. But Linux is based around a community of nerds, not on a corporation with a snazzy PR department.
In a sense, this is exactly what makes Linux an ideal server platform: it's not "features" focused, and it's more into substance than style. It's also why it's less likely to break into the home desktop market any time soon (although it stands a chance in large-volume corporation and school environments).
Karma: Chevy Kavalierma.
It's hard not to laugh at the bully when he complains about being picked on.
Anyways, I'm ready to keep bashing Microsoft until they get their bloody act together and no amount of whimpering will change my mind.
Open source is about calling things the way they are: saying as loud as possible when something important sucks and needs to be re-written. In Linux, that's what happens: when it sucks badly, it gets re-written. This is a concept most corporations often have a hard time digesting because it's too expensive for them.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
It may be funny, but I wasn't kidding. He's been asking me about linux for years, and as his small office grew from one machine to two, then three and four, he found out the hard way that Windows was never built to "share", that it's always just been one kludge on top of another to print to a remote printer, share files, and share applications.
That last one is the real sticking point. A good server with several clients is the ideal solution for a place like his (think thin). The way he's got it now, because of his slow growth into it, he's got to install the software on all the machines, the data is spread out all over the place, all the drives have different names on different machines (like I said - he grew into it without planning ahead, so you can blame that on him, but to name drives differently now would break everything).
When I told him about the ideal thin client solution, he thought that was an amazing concept. What's more amazing is how long the concept has been around and not implemented without kludgy hacks in Windows.
I could blather on and on about it, but it's not worth it. The software company doesn't care about Linux, and I've reminded him he's got other software that won't work in Linux. However, I believe he'd make the effort to switch if his primary accounting software was available in Linux - and if he could keep around the old versions (he's got to keep records for a certain number of years), maybe by using WINE or something.
Stupid sexy Flanders.
No, you're right. We should leave poor MS alone. They're obviously confused. After all, this is the same company who during the antitrust trial, said they couldn't share their source code with anyone due to national security concerns if the code got into the wrong hands.
Then later (2002) they told a federal court that sharing information with competitors could damage national security. And even said the code was so flawed it could not be safely disclosed.
Then in early 2003, they agreed to share the source code with China.
So it seems clear to me that they are confused and just need our sympathy. After all I'm sure they wouldn't intentionally risk our national security nor lie about the risks of sharing their source on the stand in federal court.